I’m working on a setup using Kirby as a headless CMS. As the front-end is not running on the same server as the CMS (it’s running on Netlify), we’re using the only other option Basic-Auth to authenticate for the API. Now I realized that the user created for the authentication also has panel rights, and as the authentication happens through a base64 string it can easily be reverted to the login data. Changing the user permissions to panel:false doesn’t allow to access the API anymore, so the only option is to basically setting the access of that user to false on nearly everything besides panel. Still the user can login into the panel and see some information, which doesn’t feel right.
Is there any nicer/cleaner way to solve this problem?